Some websites accessed via browser allow for file uploading via drag and drop functionality. In a drag and drop operation, a user selects a file on the information handling system and drags the file to a browser window for uploading via the browser. file encryption systems, such as virtual file systems, may implement an encryption algorithm and enforce encryption standards, set by a user or organization, when uploading files via a browser, including uploading of files performed via file drag and drop functionality.
|
1. A method for enforcing security on an information handling system, the method comprising:
detecting browser access of a managed site;
redirecting input/output file activity of the browser associated with the managed site from a default file system of an operating system of the information handling system to a virtual file system, wherein the input output file activity comprises requests to read data from or write data to a data storage of the information handling system, and wherein the requests are requests to read data from or write data to a same location of the data storage before and after redirection; and
preventing, by the virtual file system, the browser from retrieving an unencrypted file to be uploaded to the managed site.
11. An information handling system, comprising:
a processor; and
a memory coupled to the processor, wherein the processor is configured to perform steps comprising:
detecting browser access of a managed site;
redirecting input/output file activity of the browser associated with the managed site from a default file system of an operating system of the information handling system to a virtual file system, wherein the input output file activity comprises requests to read data from or write data to a data storage of the information handling system, and wherein the requests are requests to read data from or write data to a same location of the data storage before and after redirection; and
preventing, by the virtual file system, the browser from retrieving an unencrypted file to be uploaded to the managed site.
6. A computer program product for implementation on an information handling system, comprising:
a non-transitory computer readable medium comprising code to perform steps comprising:
detecting browser access of a managed site;
redirecting input/output file activity of the browser associated with the managed site from a default file system of an operating system of the information handling system to a virtual file system, wherein the input output file activity comprises requests to read data from or write data to a data storage of the information handling system, and wherein the requests are requests to read data from or write data to a same location of the data storage before and after redirection; and
preventing, by the virtual file system, the browser from retrieving an unencrypted file to be uploaded to the managed site.
2. The method of
3. The method of
4. The method of
5. The method of
7. The computer program product of
8. The computer program product of
9. The computer program product of
10. The computer program product of
12. The information handling system of
13. The information handling system of
14. The information handling system of
|
The instant disclosure relates to file management on information handling systems. More specifically, portions of this disclosure relate to encryption of files uploaded from information handling systems.
As the value and use of information increase, individuals and businesses seek additional ways to process and store information. One option available for such a purpose is the information handling system. An information handling system generally processes, compiles, stores, and/or communicates information or data for business, personal, or other purposes thereby allowing users to take advantage of the value of the information. Because technology and information handling requirements vary between different users or applications, information handling systems may also vary regarding what information is handled, how the information is handled, how much information is processed, stored, or communicated, and how quickly and efficiently the information may be processed, stored, or communicated. Variations in information handling system build and capabilities allow for information handling systems to be general or configured for a specific user or specific use such as financial transaction processing, airline reservations, enterprise data storage, or global communications. In addition, information handling systems may include a variety of hardware and software components that may be configured to process, store, and communicate information and may include one or more computer systems, data storage systems, and networking systems.
Along with the increasing value and use of information, the importance of security of information processed, compiled, stored, and/or communicated by information handling systems has increased. Information handling systems may be configured to implement encryption systems to encrypt files containing information before storing and/or transmitting files in order to enhance information security.
Users of information handling systems may use applications, such as web browsers, to upload and download files to and from the internet. When users upload files through browsers, the files may become accessible to others. For example, uploading files to a cloud storage provider provides that provider with access to the files' contents. Although the files may be protected from unintended views on a user's computer, the files' security is not guaranteed by the cloud storage provider. Thus, additional safeguards are needed to secure the files against loss of security during uploading using web browsers or other applications.
Shortcomings mentioned here are only representative and are included simply to highlight that a need exists for improved information handling systems, such as data centers and personal computing devices. Embodiments described herein address certain shortcomings but not necessarily each and every one described here or known in the art. Furthermore, embodiments described herein may present other benefits than, and be used in other applications than, those of the shortcomings described above.
Many users of information handling systems use applications to create, manage, and/or save files containing information. Encryption functionality of information handling systems may be designed to operate in the background with minimal user input. Encryption of the files secures the data against access by unintended recipients. Thus, improving the handling of encrypted files encourages a user to keep their data secure. One background technique is to direct file access through encryption systems, such as virtual file systems, which apply encryption and decryption without changing the user's workflow.
One application that may be used to transmit and receive files is the browser. Browsers are used to access websites from which files may be downloaded and to which files may be uploaded. Some websites allow users to upload files to be stored at a remote location, such as on a server at a data center, or to transmit their files to other information handling systems operated by other users. The security of information contained in uploaded files is important because of the public nature of the Internet and because the remote systems may be operated by people who should not have access to the contents of the uploaded files.
Some websites accessed via browser allow for file uploading via drag and drop functionality. In a drag and drop operation, a user selects a file on the information handling system and drags the file to a browser window for uploading via the browser. File encryption systems, such as virtual file systems, may implement an encryption algorithm and enforce encryption standards, set by a user or organization, when uploading files via a browser, including uploading of files performed via file drag and drop functionality. The encryption algorithm may be implemented in a transformer module, such as described in U.S. Pat. No. 9,110,963 to Burchett et al. and entitled “TRANSPARENT ADAPTIVE FILE TRANSFORM,” which is hereby incorporated by reference.
A drag and drop operation involving an unencrypted file may be prevented to preserve security of the content of the file. When a user engages drag and drop functionality of a browser by dragging a file to a browser window and dropping the file on a drag and drop area of the browser window, a browser drag and drop upload request for the file may be detected by an operating system (OS) level service. When the request is detected, the system determines whether at least part of the file to be uploaded is encrypted or whether the file to be uploaded is unencrypted. If the file is unencrypted, the browser may be prevented from retrieving the unencrypted file. The system may prevent the browser from retrieving the unencrypted file by hiding the unencrypted file from the browser. If the browser is unable to retrieve the file, the browser may instruct a user, such as through display of a popup window, to encrypt the file prior to upload. For example, the browser may instruct the user to select the file through an open file dialog box of the browser. The dialog box may provide the user an option to apply encryption of the file through the virtual file system prior to upload. Alternatively, accessing the file through the dialog box may cause the encryption of the file to occur automatically using the virtual file system. If the dragged file is already encrypted, the browser may be allowed to retrieve the file normally.
A list of managed websites may be maintained and used to determine when to apply the drag and drop security. The browser, a browser plug-in, other application, or a system service may be configured to monitor websites accessed by a user for access of a managed site. The list of managed sites may be selected by a user or by an entity controlling the information handling system. The list may include websites to which the user or entity desires to prevent uploading of unencrypted files. When access of a managed site is detected, input/output file activity associated with the managed site may be checked to prevent upload of unencrypted files. In some embodiments, the drag and drop requests on a managed website may be directed through the virtual file system. The virtual file system can determine whether the files are encrypted or unencrypted. When file input/output activity for a managed site is directed through a virtual file system, detection of a browser drag and drop file upload request may include detecting, by the virtual file system, input/output file activity associated with the managed site indicating a browser drag and drop upload request for the file. Alternatively, all file input/output activity from the browser may be directed through a virtual file system, regardless of whether the activity is associated with a managed site. In such cases, detecting a browser drag and drop upload request for a file may include detecting, by the virtual file system, input/output file activity from the browser indicating the browser drag and drop upload request for the file.
A computer program product may contain code to perform steps for uploading files and verifying an encryption status of files to be uploaded similar to those described herein. The code may be stored on a non-transitory computer readable medium. An information handling system may include a processor configured to perform steps for uploading files similar to those described herein and a memory coupled to the processor.
The foregoing has outlined rather broadly certain features and technical advantages of embodiments of the present invention in order that the detailed description that follows may be better understood. Additional features and advantages will be described hereinafter that form the subject of the claims of the invention. It should be appreciated by those having ordinary skill in the art that the conception and specific embodiment disclosed may be readily utilized as a basis for modifying or designing other structures for carrying out the same or similar purposes. It should also be realized by those having ordinary skill in the art that such equivalent constructions do not depart from the spirit and scope of the invention as set forth in the appended claims. Additional features will be better understood from the following description when considered in connection with the accompanying figures. It is to be expressly understood, however, that each of the figures is provided for the purpose of illustration and description only and is not intended to limit the present invention.
For a more complete understanding of the disclosed system and methods, reference is now made to the following descriptions taken in conjunction with the accompanying drawings.
For purposes of this disclosure, an information handling system may include any instrumentality or aggregate of instrumentalities operable to compute, calculate, determine, classify, process, transmit, receive, retrieve, originate, switch, store, display, communicate, manifest, detect, record, reproduce, handle, or utilize any form of information, intelligence, or data for business, scientific, control, or other purposes. For example, an information handling system may be a personal computer (e.g., desktop or laptop), tablet computer, mobile device (e.g., personal digital assistant (PDA) or smart phone), server (e.g., blade server or rack server), a network storage device, or any other suitable device and may vary in size, shape, performance, functionality, and price. The information handling system may include random access memory (RAM), one or more processing resources such as a central processing unit (CPU) or hardware or software control logic, ROM, and/or other types of nonvolatile memory. Additional components of the information handling system may include one or more disk drives, one or more network ports for communicating with external devices as well as various input and output (I/O) devices, such as a keyboard, a mouse, touchscreen and/or a video display. The information handling system may also include one or more virtual or physical buses operable to transmit communications between the various hardware and/or software components.
Information handling systems may execute software for management of the information handled. Information may be generated and manipulated by applications executed on information handling systems and may be stored in data structures, such as files. Applications, such as browsers, may be used to transmit files, such as by uploading files to a remote location via a website. OS-level file management systems, such as virtual file systems, may manage, organize, and protect files. One way to protect files is to verify encryption of files prior to transmission via a browser. In order to enhance ease of use and information security, file encryption systems may be configured to verify encryption of files uploaded by users through various browser systems, such as browser drag and drop file upload functionality.
A virtual file system may apply encryption and decryption algorithms to files either automatically or at the request of a user. The encryption and decryption algorithms may encrypt and decrypt portions of files or files in their entirety. A virtual file system may verify encryption of files uploaded via a browser. A system 100 for managing browser 102 access of files through implementation of a virtual file system 106 is shown in
A virtual file system may also be referred to as a call-back file system. A call-back file system can provide an extensible action pipeline that is applied to files dynamically as they are accessed from and saved to a data storage. For example, a call-back file system can be configured to allow an action or a combination of actions to be performed on a file in response to access of the file by an application. A data transform may be performed on a file in response to access of the file by an application and may include data compression and/or encryption. Data transforms may also include file-type transformation, rights management embedding, file name obfuscation, bulk upload, or a change of communications protocols. The call-back file system may also be configured to create a backup or a shadow copy of data accessed at a second location. The call-back file system may perform content filtering (e.g., removal of credit card or other personal or private data). The call-back file system may add or remove metadata. The call-back file system may be configured to add an entry to an audit log showing file activity. Various actions of the call-back file system may be set on an application-by-application basis, in response to the type of data access activity, in response to the content of the data being accessed, or the like. The call-back file system may be configured to perform file transform and record-keeping operations in the background with little input by a user. One example of a call-back system that may implement embodiments of the disclosed invention is given in U.S. Pat. No. 9,110,963.
Files may be uploaded via a browser using browser drag and drop file upload functionality.
A virtual file system may be configured to allow users to use drag and drop functionality of a browser to upload files. The virtual file system may verify that files to be uploaded via drag and drop functionality of the browser are encrypted prior to allowing the browser to retrieve and upload the files.
When the drag and drop file upload request is detected, the system determines at step 304 whether the file to be uploaded is encrypted. The virtual file system may determine whether the file to be uploaded is encrypted by examining an access path to a file, as discussed with respect to
File traffic from a web browser may be directed through the virtual file system to allow the virtual file system to detect file upload requests and verify encryption status of files to be uploaded. An example method 400 for directing traffic from a website through a virtual file system is discussed with respect to
The schematic flow chart diagrams of
If implemented in firmware and/or software, functions described above may be stored as one or more instructions or code on a computer-readable medium. Examples include non-transitory computer-readable media encoded with a data structure and computer-readable media encoded with a computer program. Computer-readable media includes physical computer storage media. A storage medium may be any available medium that can be accessed by a computer. By way of example, and not limitation, such computer-readable media can comprise random access memory (RAM), read-only memory (ROM), electrically-erasable programmable read-only memory (EEPROM), compact disc read-only memory (CD-ROM) or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store desired program code in the form of instructions or data structures and that can be accessed by a computer. Disk and disc includes compact discs (CD), laser discs, optical discs, digital versatile discs (DVD), floppy disks and Blu-ray discs. Generally, disks reproduce data magnetically, and discs reproduce data optically. Combinations of the above should also be included within the scope of computer-readable media.
In addition to storage on computer readable medium, instructions and/or data may be provided as signals on transmission media included in a communication apparatus. For example, a communication apparatus may include a transceiver having signals indicative of instructions and data. The instructions and data are configured to cause one or more processors to implement the functions outlined in the claims.
Although the present disclosure and certain representative advantages have been described in detail, it should be understood that various changes, substitutions and alterations can be made herein without departing from the spirit and scope of the disclosure as defined by the appended claims. Moreover, the scope of the present application is not intended to be limited to the particular embodiments of the process, machine, manufacture, composition of matter, means, methods and steps described in the specification. As one of ordinary skill in the art will readily appreciate from the present disclosure, processes, machines, manufacture, compositions of matter, means, methods, or steps, presently existing or later to be developed that perform substantially the same function or achieve substantially the same result as the corresponding embodiments described herein may be utilized. Accordingly, the appended claims are intended to include within their scope such processes, machines, manufacture, compositions of matter, means, methods, or steps.
Burke, James M., Testerman, James D.
Patent | Priority | Assignee | Title |
Patent | Priority | Assignee | Title |
7640409, | Jul 29 2005 | International Business Machines Corporation | Method and apparatus for data migration and failover |
8542823, | Jun 18 2009 | Amazon Technologies, Inc. | Partial file encryption |
9110963, | Apr 10 2012 | Dell Products L P | Transparent adaptive file transform |
20030191938, | |||
20040003289, | |||
20050169073, | |||
20060184540, | |||
20080184148, | |||
20090249460, | |||
20100250892, | |||
20100318997, | |||
20120173655, | |||
20130268545, | |||
20130305039, | |||
20150324146, | |||
20160132528, | |||
20170171295, | |||
20180232396, | |||
CN104318179, |
Date | Maintenance Fee Events |
Jul 24 2024 | M1551: Payment of Maintenance Fee, 4th Year, Large Entity. |
Date | Maintenance Schedule |
Feb 09 2024 | 4 years fee payment window open |
Aug 09 2024 | 6 months grace period start (w surcharge) |
Feb 09 2025 | patent expiry (for year 4) |
Feb 09 2027 | 2 years to revive unintentionally abandoned end. (for year 4) |
Feb 09 2028 | 8 years fee payment window open |
Aug 09 2028 | 6 months grace period start (w surcharge) |
Feb 09 2029 | patent expiry (for year 8) |
Feb 09 2031 | 2 years to revive unintentionally abandoned end. (for year 8) |
Feb 09 2032 | 12 years fee payment window open |
Aug 09 2032 | 6 months grace period start (w surcharge) |
Feb 09 2033 | patent expiry (for year 12) |
Feb 09 2035 | 2 years to revive unintentionally abandoned end. (for year 12) |